How to plan for wireless network controllers?

We are moving our HQ building and will replace our existing wireless network that uses older Cisco Aironet WAPs with something newer, either Cisco, Aruba, or Ruckus. We'll probably run between 40 and 50 WAPs so we want them to be centrally managed (vs our existing model, where all WAPs are autonomous).

When using WAP controllers, do the controllers need to be at the same site as the WAPs? If I want to bring our other locations into a managed model, can site A's controllers be used to manage sites B-Z, or do I need to put a controller at each site we have WAPs? Some sites are small enough that we'll only have 1-6 WAPs, vs our HQ, which is the largest office and will have the greatest number of WAPs.

Instead of hardware controllers we are also considering virtual controllers to be run out of an ESXi cluster. Any downsides to going this route? Rack space will be at a premium, so if we can virtualize the controller that will be an advantage.

Controllers are nice because you can easily tunnel traffic, like guest access, back and only deal with VLAN assignments in the core. Thus far all the controller-less options I've seen require you to go back and provision VLANs to each WAP which is a pain. Some vendors provision guest access onto the 'secure' network and rely on the local firewall rules in the WAP to keep people out of local resources. I much prefer the controller approach, L3 GRE tunnels from the WAPs to the controllers and drop guest access off on their own VLANs in the core or egress. There are pros and cons to any of the approaches. It is a matter of picking the approach that is best suited to your particular deployment.
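The difference the post above describes, shown as switch configuration. This is an added illustration written for this thread, not something any poster supplied; the VLAN numbers (10 = AP management, 20 = staff, 50 = guest), interface names, and the 192.0.2.0/24 guest subnet are placeholders, and the syntax is Cisco IOS-style.

```text
! Added illustration (not from any post in this thread). Hypothetical values:
!   VLAN 10 = AP management, VLAN 20 = staff, VLAN 50 = guest.
!
! --- Controller-less model: every AP edge port has to trunk every SSID's
!     VLAN, so the guest VLAN is extended to each access switch and each AP,
!     and guest isolation rests on each AP's local firewall rules.
interface GigabitEthernet1/0/1
 description WAP-autonomous (trunks staff + guest VLANs to the AP)
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,50
 spanning-tree portfast trunk

! --- Controller-based model: the AP port is a plain access port on the
!     management VLAN; client traffic rides the AP-to-controller tunnel,
!     so VLAN 50 only needs to exist where the controller hands it off.
interface GigabitEthernet1/0/2
 description WAP-controller-managed (management VLAN only)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

! Core/egress side: the controller's uplink is the only trunk that needs
! the guest VLAN, and one ACL on the guest SVI keeps guests off RFC 1918
! space instead of relying on per-AP rules.
interface TenGigabitEthernet1/1/1
 description WLC uplink
 switchport mode trunk
 switchport trunk allowed vlan 10,20,50

ip access-list extended GUEST-ISOLATION
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any

interface Vlan50
 description Guest clients (tunnelled from all APs)
 ip address 192.0.2.1 255.255.255.0
 ip access-group GUEST-ISOLATION in
```

The point to check in a real deployment is the `allowed vlan` list on the AP edge ports: if the guest VLAN has to appear there, guest isolation depends on every AP's local configuration, whereas with the tunnelled model it is enforced once at the SVI. The ACL above is deliberately minimal; if guest DHCP or DNS lives on an internal address, add explicit permits for those servers ahead of the deny lines.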

Have you put any effort into looking at Meru? At our school board we've been using them and have been really impressed. Remote sites can tunnel back over wifi and everything. The support from them has been awesome too.

The downside to virtual controllers is usually around scaling and availability. Your VM environment must be up to use the wireless- which often isn't a problem but is worth thinking through.

Controllers aren't usually the problem in a design. I prefer controller based solutions, and Aruba has some of the finest- and their IAP is cool as well for small/medium or remote sites. I like Meraki/Cisco as well- but the Aironet Cisco solution requires so many components and Meraki's hardware is cheap (failure prone cheap). I can't wait until Meraki uses Cisco engineered hardware but their software and model for control- that will be compelling and Aruba will have to innovate again.

Largely though I see Aruba and Cisco as feature equivalent having used both, and there must be something going on because the price is almost always pretty much equal. I'd go with the one you have more experience with.

From what I can tell, the Cisco wireless could theoretically be broken down to just the wireless controller plus WAP, but there's all this other stuff that gets added on.

The NAC means there's a CAS and a CAM and there can also be a "Profiler". That's 3 farking servers to check if a wireless guest can authenticate and if they've got an up to date anti-virus.

Mind you, you can actually do the authentication on the controllers instead. LDAP, RADIUS, ACS (Cisco's authentication solution which will bridge to LDAP/AD) are all possible.

erratick's wish for Meraki's software/conceptual design to be overlaid on Cisco's hardware would be great, but I'm finding Cisco's older hardware to be overpriced and underperforming. The latter is taken care of now in newer hardware, and the former is taken care of by discounting (brand switching upgrade discounts are probable as well).